Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: botan3

Found 6 matching suggestions

View:
Compact
Detailed
Published
Permalink CVE-2026-44378
6.9 MEDIUM
  • CVSS version (CVSS): 4.0
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Attack Requirement (AT): None (N)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Vulnerable System Impact Confidentiality (VC): None (N)
  • Vulnerable System Impact Integrity (VI): None (N)
  • Vulnerable System Impact Availability (VA): Low (L)
  • Subsequent System Impact Confidentiality (SC): None (N)
  • Subsequent System Impact Integrity (SI): None (N)
  • Subsequent System Impact Availability (SA): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Attack Requirement (MAT): None (N)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Vulnerable System Impact Confidentiality (MVC): None (N)
  • Modified Vulnerable System Impact Integrity (MVI): None (N)
  • Modified Vulnerable System Impact Availability (MVA): Low (L)
  • Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
  • Modified Subsequent System Impact Integrity (MSI): Negligible (N)
  • Modified Subsequent System Impact Availability (MSA): Negligible (N)
  • Safety (S): Not Defined (X)
  • Automatable (AU): Not Defined (X)
  • Recovery (R): Not Defined (X)
  • Value Density (V): Not Defined (X)
  • Vulnerability Response Effort (RE): Not Defined (X)
  • Provider Urgency (U): Not Defined (X)
  • Confidentiality Req. (CR): Not Defined (X)
  • Integrity Req. (IR): Not Defined (X)
  • Availability Req. (AR): Not Defined (X)
  • Exploit Maturity (E): Not Defined (X)
updated 2 weeks, 2 days ago by @LeSuisse Activity log
  • Created suggestion 2 weeks, 3 days ago
  • @LeSuisse ignored
    7 packages
    • botanEsdm
    • emiluaPlugins.botan
    • python312Packages.botan3
    • python313Packages.botan3
    • python314Packages.botan3
    • haskellPackages.botan-low
    • haskellPackages.botan-bindings
    2 weeks, 2 days ago
  • @LeSuisse accepted 2 weeks, 2 days ago
  • @LeSuisse published on GitHub 2 weeks, 2 days ago
Botan: Quadratic complexity decoding BER indefinite length encodings

Botan is a C++ cryptography library. Prior to 3.12.0, certain patterns of indefinite length encodings in BER data could cause quadratic behavior in the parser, resulting in a denial of service. Such BER encodings were accepted even in structures which are required to be encoded as DER, which prohibits indefinite length encodings. This vulnerability is fixed in 3.12.0.

Affected products

botan
  • ==< 3.12.0

Matching in nixpkgs

pkgs.botan3

Cryptographic algorithms library

Ignored packages (7)

Package maintainers

Published
Permalink CVE-2026-34580
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse ignored
    8 packages
    • botan2
    • emiluaPlugins.botan
    • python312Packages.botan3
    • python313Packages.botan3
    • python314Packages.botan3
    • haskellPackages.botan-low
    • haskellPackages.botan-bindings
    • chickenPackages_5.chickenEggs.botan
    2 months ago
  • @LeSuisse accepted 2 months ago
  • @LeSuisse published on GitHub 2 months ago
Botan has a certificate authentication bypass due to trust anchor confusion

Botan is a C++ cryptography library. In 3.11.0, the function Certificate_Store::certificate_known had a misleading name; it would return true if any certificate in the store had a DN (and subject key identifier, if set) matching that of the argument. It did not check that the cert it found and the cert it was passed were actually the same certificate. In 3.11.0 an extension of path validation logic was made which assumed that certificate_known only returned true if the certificates were in fact identical. The impact is that if an end entity certificate is presented, and its DN (and subject key identifier, if set) match that of any trusted root, the end entity certificate is accepted immediately as if it itself were a trusted root. , This vulnerability is fixed in 3.11.1.

Affected products

botan
  • ==>= 3.11.0, < 3.11.1

Matching in nixpkgs

pkgs.botan3

Cryptographic algorithms library

Ignored packages (8)

Package maintainers

Published
Permalink CVE-2026-34582
updated 2 months ago by @LeSuisse Activity log
  • Created suggestion 2 months ago
  • @LeSuisse ignored
    8 packages
    • emiluaPlugins.botan
    • python312Packages.botan3
    • python313Packages.botan3
    • python314Packages.botan3
    • haskellPackages.botan-low
    • haskellPackages.botan-bindings
    • chickenPackages_5.chickenEggs.botan
    • botan2
    2 months ago
  • @LeSuisse accepted 2 months ago
  • @LeSuisse published on GitHub 2 months ago
Botan has a TLS 1.3 certificate authentication bypass

Botan is a C++ cryptography library. Prior to version 3.11.1, the TLS 1.3 implementation allowed ApplicationData records to be processed prior to the Finished message being received. A server which is attempting to enforce client authentication via certificates can by bypassed by a client which entirely omits Certificate, CertificateVerify, and the Finished message and instead sends application data records. This vulnerability is fixed in 3.11.1.

Affected products

botan
  • ==< 3.11.1

Matching in nixpkgs

pkgs.botan3

Cryptographic algorithms library

Ignored packages (8)

Package maintainers

Published
Permalink CVE-2026-32883
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @mweinelt ignored
    9 packages
    • botan2
    • botanEsdm
    • emiluaPlugins.botan
    • python312Packages.botan3
    • python313Packages.botan3
    • python314Packages.botan3
    • haskellPackages.botan-low
    • haskellPackages.botan-bindings
    • chickenPackages_5.chickenEggs.botan
    2 months, 2 weeks ago
  • @mweinelt accepted 2 months, 2 weeks ago
  • @mweinelt published on GitHub 2 months, 2 weeks ago
Botan: Missing OCSP Response Signature Verification Allows MitM Certificate Revocation Bypass

Botan is a C++ cryptography library. From version 3.0.0 to before version 3.11.0, during X509 path validation, OCSP responses were checked for an appropriate status code, but critically omitted verifying the signature of the OCSP response itself. This issue has been patched in version 3.11.0.

Affected products

botan
  • ==>= 3.0.0, < 3.11.0

Matching in nixpkgs

pkgs.botan3

Cryptographic algorithms library

Ignored packages (9)

Package maintainers

https://github.com/randombit/botan/security/advisories/GHSA-9j2j-hqmc-hf5x
Published
Permalink CVE-2026-32877
8.2 HIGH
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): Low (L)
  • Integrity (I): None (N)
  • Availability (A): High (H)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): None (N)
  • Modified Availability (MA): High (H)
updated 2 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @mweinelt ignored
    9 packages
    • botan2
    • botanEsdm
    • emiluaPlugins.botan
    • python312Packages.botan3
    • python313Packages.botan3
    • chickenPackages_5.chickenEggs.botan
    • haskellPackages.botan-bindings
    • haskellPackages.botan-low
    • python314Packages.botan3
    2 months, 2 weeks ago
  • @mweinelt accepted 2 months, 2 weeks ago
  • @mweinelt published on GitHub 2 months, 2 weeks ago
Botan: Heap Buffer Over-read in SM2 Decryption via Undersized C3 Hash Field

Botan is a C++ cryptography library. From version 2.3.0 to before version 3.11.0, during SM2 decryption, the code that checked the authentication code value (C3) failed to check that the encoded value was of the expected length prior to comparison. An invalid ciphertext can cause a heap over-read of up to 31 bytes, resulting in a crash or potentially other undefined behavior. This issue has been patched in version 3.11.0.

Affected products

botan
  • ==>= 2.3.0, < 3.11.0

Matching in nixpkgs

pkgs.botan3

Cryptographic algorithms library

Ignored packages (9)

Package maintainers

https://github.com/randombit/botan/security/advisories/GHSA-7jj6-4r42-w9h6
Published
Permalink CVE-2026-32884
5.9 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): High (H)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality (C): None (N)
  • Integrity (I): High (H)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): High (H)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): None (N)
  • Modified Confidentiality (MC): None (N)
  • Modified Scope (MS): Unchanged (U)
  • Modified Integrity (MI): High (H)
  • Modified Availability (MA): None (N)
updated 2 months, 2 weeks ago by @mweinelt Activity log
  • Created suggestion 2 months, 2 weeks ago
  • @mweinelt ignored
    9 packages
    • botan2
    • botanEsdm
    • emiluaPlugins.botan
    • python312Packages.botan3
    • python313Packages.botan3
    • python314Packages.botan3
    • haskellPackages.botan-low
    • haskellPackages.botan-bindings
    • chickenPackages_5.chickenEggs.botan
    2 months, 2 weeks ago
  • @mweinelt accepted 2 months, 2 weeks ago
  • @mweinelt published on GitHub 2 months, 2 weeks ago
Botan: Case-Insensitive CN Values Bypass DNS excludedSubtrees Name Constraints (RFC 5280 Violation)

Botan is a C++ cryptography library. Prior to version 3.11.0, during processing of an X.509 certificate path using name constraints which restrict the set of allowable DNS names, if no subject alternative name is defined in the end-entity certificate Botan would check that the CN was allowed by the DNS name constraints, even though this check is technically not required by RFC 5280. However this check failed to account for the possibility of a mixed-case CN. Thus a certificate with CN=Sub.EVIL.COM and no subject alternative name would bypasses an excludedSubtrees constraint for evil.com because the comparison is case-sensitive. This issue has been patched in version 3.11.0.

Affected products

botan
  • ==< 3.11.0

Matching in nixpkgs

pkgs.botan3

Cryptographic algorithms library

Ignored packages (9)

Package maintainers

https://github.com/randombit/botan/security/advisories/GHSA-7c3g-7763-ggj5